MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stop


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7
SHA3-384 hash: 6ed6123ae23da9980fb8ef720dfa23eb68f817c0496f84fdbb9f27bbc27479411eeec06bc362c2adf475f31ecdd7aa2a
SHA1 hash: da937547baa6c19b4ebe1a73d4ac7196c6d68c07
MD5 hash: de6bdbfe1caa3d8043e8e1ea3f5961ae
humanhash: burger-wyoming-papa-massachusetts
File name:36.bin
Download: download sample
Signature Stop
Create hunting rule
File size:840'192 bytes
First seen:2021-01-08 06:54:23 UTC
Last seen:2021-01-08 09:11:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (235 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 24576:0WprbVkdk+h86E2VlXQAF3lAk+jcPy6bq0sxE2jyBDxCLZlQPf/c:r1B5KlXQAbAkJqqsxE2juDxCLHQPf0
Threatray 1'398 similar samples on MalwareBazaar
TLSH 250512755430A492E4906970C33FEBE8CD13F5614FA518E10D62CEAC19BD7AECAB1AD3
Reporter JAMESWT_WT
Tags:Stop

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36.exe
Verdict:
Malicious activity
Analysis date:
2021-01-08 06:22:25 UTC
Tags:
trojan ransomware stop loader stealer vidar
Link:
https://app.any.run/tasks/be0500fa-fb46-4a4b-ad2e-38c86a07fb5f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Stop-Djvu
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110906/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Sending a UDP request
Deleting a recently created file
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Djvu Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/576400
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Found ransom note / readme
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes many files with high entropy
Yara detected Djvu Ransomware
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337252 Sample: 36.bin Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->93 95 Multi AV Scanner detection for domain / URL 2->95 97 Antivirus detection for URL or domain 2->97 99 9 other signatures 2->99 10 36.exe 1 18 2->10         started        15 36.exe 13 2->15         started        process3 dnsIp4 91 api.2ip.ua 77.123.139.190, 443, 49713, 49716 VOLIA-ASUA Ukraine 10->91 79 C:\Users\user\...\36.exe:Zone.Identifier, ASCII 10->79 dropped 125 Writes many files with high entropy 10->125 17 36.exe 1 29 10->17         started        22 icacls.exe 10->22         started        file5 signatures6 process7 dnsIp8 81 vjsi.top 45.143.137.30, 49719, 49720, 49722 GARANT-PARK-INTERNETRU Russian Federation 17->81 83 api.2ip.ua 17->83 59 C:\Users\user\AppData\Local\...\V010000D.log, DOS 17->59 dropped 61 C:\Users\user\AppData\...\updatewin2.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\...\updatewin1.exe, PE32 17->63 dropped 65 172 other files (158 malicious) 17->65 dropped 101 Modifies existing user documents (likely ransomware behavior) 17->101 24 5.exe 17->24         started        29 updatewin1.exe 2 17->29         started        31 updatewin2.exe 17->31         started        33 updatewin.exe 17->33         started        file9 signatures10 process11 dnsIp12 85 littlestepfor.com 169.239.128.99, 49730, 49731, 49732 ZAPPIE-HOST-ASZappieHostGB Seychelles 24->85 87 ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States 24->87 69 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 24->69 dropped 71 C:\Users\user\AppData\...\softokn3[1].dll, PE32 24->71 dropped 73 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 24->73 dropped 77 7 other files (none is malicious) 24->77 dropped 107 Multi AV Scanner detection for dropped file 24->107 109 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->109 111 Tries to steal Instant Messenger accounts or passwords 24->111 123 2 other signatures 24->123 35 cmd.exe 24->35         started        113 Antivirus detection for dropped file 29->113 115 Detected unpacking (overwrites its own PE header) 29->115 37 updatewin1.exe 29->37         started        75 C:\Windows\System32\drivers\etc\hosts, ASCII 31->75 dropped 117 Mutes Antivirus updates and installments via hosts file black listing 31->117 119 Modifies the hosts file 31->119 89 reputinodaedo.pw 104.28.8.109, 443, 49726 CLOUDFLARENETUS United States 33->89 121 Tries to harvest and steal browser information (history, passwords, etc) 33->121 41 cmd.exe 33->41         started        file13 signatures14 process15 file16 43 conhost.exe 35->43         started        45 taskkill.exe 35->45         started        67 C:\Users\user\AppData\Local\script.ps1, ASCII 37->67 dropped 103 Suspicious powershell command line found 37->103 105 Disables the Windows task manager (taskmgr) 37->105 47 powershell.exe 37->47         started        49 powershell.exe 37->49         started        51 conhost.exe 41->51         started        53 timeout.exe 41->53         started        signatures17 process18 process19 55 conhost.exe 47->55         started        57 conhost.exe 49->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-01-02 21:01:03 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
34 of 46 (73.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7ydybjvc3yrbgyzztbejme6dttxebpqdhtfq3eexdbxy526to3q._file
Verdict:
malicious
Similar samples:
22ed8ba56c9a195d2f2b50133b9ba06e6cc0705fd3003cd76c2717547443f3d4
Stop
357155fa11754db1ffbba77378769739d9a1d665914b5706d6dfb6b046ba2c2b
Stop
3dff6f068aaf451982f4cd74c0e6dbda2e214346d33947d8bbf0d71d26b2699f
Stop
4067636da0258032856bcba46483e656841dc9866eed7ee22e2f155eea4b4d70
Stop
6172ae75fca2550266d932f8b7a5bb55fbfd5ac7342136c1082c50a839afb6c1
Stop
9836dae82868c0e7f17114f7fe63e0f5b94f8e99e0c597f43ae12a365458ff69
Stop
af60e77e82cc0ab917461efb7fad074044c7c90959a9b6e118dd5bf379e09d06
Stop
d6640a1ff78ab00ccc4f3388b310325036c34ecd40af501ddddc652fb6f28f3b
Stop
de0916556f63cf540c814626a4098d996a55ea99bfca9cc2032e0f6994c1479d
Stop
f5f817441e672588eb3404816c3afc7adf4a74636414bc897ab818aaf2a71786
Stop
+ 1'388 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:djvu family:vidar discovery evasion persistence ransomware spyware stealer upx
Link:
https://tria.ge/reports/210108-xfr7j4kebj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Modifies file permissions
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Drops file in Drivers directory
Executes dropped EXE
Modifies extensions of user files
UPX packed file
Deletes Windows Defender Definitions
Djvu Ransomware
Vidar
Unpacked files
SH256 hash:
02ced9f15ecaea4027ce94d826ba46aa599081209d27076ed5845e6bd96a7d8e
MD5 hash:
cb7ff2eb699c22035e7460ae95fb3ed3
SHA1 hash:
3a23ca813e36a74d633c7e50e5d63cc76650e60d
Link:
https://www.unpac.me/results/5a26ae05-c4c5-4d34-9d41-0acc258cd506/
SH256 hash:
cbda983fac748f9251dbcd191e00208c7ddc7fc66d567065b4042e4c0edcf1be
MD5 hash:
af803d5f02a3024bd4902b564b78eb0b
SHA1 hash:
7a54c998125e29cde881b976c995b05175cfa8fb
Detections:
win_stop_auto
Create hunting rule
Link:
https://www.unpac.me/results/5a26ae05-c4c5-4d34-9d41-0acc258cd506/
SH256 hash:
17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7
MD5 hash:
de6bdbfe1caa3d8043e8e1ea3f5961ae
SHA1 hash:
da937547baa6c19b4ebe1a73d4ac7196c6d68c07
Link:
https://www.unpac.me/results/5a26ae05-c4c5-4d34-9d41-0acc258cd506/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Azorult
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/17f03c053516f1109b19ccc244b09e1ce77205f019e6586c84b8c37c775e9bb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110906/

Comments